Re: [Shorewall-users] Multiple ISP Issues

Wed, 20 Sep 2006 11:07:10 -0700 

[EMAIL PROTECTED] wrote:
>> [EMAIL PROTECTED] wrote:
>>
>>>> John -- please see
>>>> http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.7/known_problems.txt
>>>>
>>>> There is a fix available for this problem.
>>>>
>>> Where do I find this, Is it out of CVS or something?
>> You find the 'errata' sub-directory in the same directory as the
>> 'known_problems.txt' file that you are reading (namely
>> http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.7/)
>>
>>> Replace /usr/share/shorewall/firewall with the 'firewall' file from the
>>>     'errata' sub-directory.
>>>
>>> and will it also fix my issue of sending all my data out my secondary
>>> ISP?
>> That will depend on your marking rules -- you haven't shown those two us
>> since
>> you (presumably) followed the instructions in FAQ 58.
>>
> 
> Sorry, I have now replaced the firewall. That fixed the warnings on
> shorewall restart.
> 
> I am still having the same issue though.  Everything is being sent out my
> secondary ISP.
> 
> Here is my providers file
> #NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY        
> OPTIONS         COPY
> t1      1       1       main            w1g1chdl        65.88.235.145  
> track,balance   eth0
> dsl1    2       2       main            eth1            71.4.72.129    
> track,balance   eth0
> 
> Here is my tcrules file:
> 
> #MARK           SOURCE          DEST                    PROTO   PORT(S)
> CLIENT PORT(S)
> 1               eth0            0.0.0.0/0               tcp     sip,iax,ssh
> 1               eth0            0.0.0.0/0               udp     sip,iax
> 2               eth0            0.0.0.0/0               tcp    
> !sip,!iax,!ssh


All tcp traffic is getting mark value 2. The only traffic getting mark value 1
is UDP sip,aix. As pointed out in the tcrules documentation, the LAST rule that
matches determines the mark value.

Consequently the answer to FAQ 58 specifically says that you must put the
default mark first! (and I would leave off the protocol).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Attachment: signature.asc
Description: OpenPGP digital signature

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Reply via email to